MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c
SHA3-384 hash: bea1577d619f92b6ced1bce3796fe842d8b86443693914d336689fa314f8d1da7f553a68293db1512834309a8d6b2423
SHA1 hash: 5aa7999c8ce0af9372362024a2dc8fa156da311f
MD5 hash: aacfb5db7ad135489ed672b5940cbd43
humanhash: cold-leopard-april-orange
File name: aacfb5db7ad135489ed672b5940cbd43.exe
File size: 1'608'192 bytes
First seen: 2020-12-22 12:29:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:/MT0Ad7cMYpNILqWCLPXgd7+qugEbJU1jPFb:/7Nsxpug6JU1DFb
Threatray 38 similar samples on MalwareBazaar
TLSH 2B75E035AF58563AF17AAB7CC2B02141A7EDA7D3A707C99D2CB511C90B27A038EC153D
Reporter abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 214
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: aacfb5db7ad135489ed672b5940cbd43.exe
Verdict: Malicious activity
Analysis date: 2020-12-22 13:33:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Modifying a system executable file
Sending a UDP request
Creating a window
Launching a process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph (text reconstruction of the graph image):
Behavior Graph ID: 333260
Sample: iEchB4J2pv.exe
Startdate: 22/12/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AntiVM_3; 12 other signatures
Processes started at top level: iEchB4J2pv.exe, WmiPrvSE.exe, Memory Compression.exe, 2 other processes
iEchB4J2pv.exe (initial process)
  Dropped: C:\Users\user\AppData\...\iEchB4J2pv.exe.log (ASCII)
  Signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Drops PE files with benign system names; Injects a PE file into a foreign processes
  Started: iEchB4J2pv.exe (2 instances)
WmiPrvSE.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: WmiPrvSE.exe (3 instances)
Memory Compression.exe
  Started: Memory Compression.exe (2 instances)
2 other processes
  Started: lsass.exe, 2 other processes
iEchB4J2pv.exe (child process)
  Dropped: C:\Users\Public\Videos\lsass.exe (PE32); C:\Recovery\Memory Compression.exe (PE32); C:\PerfLogs\WmiPrvSE.exe (PE32); 5 other malicious files
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: lsass.exe, schtasks.exe (2 instances), 2 other processes
lsass.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Started: lsass.exe (2 instances)
schtasks.exe (both instances) and the 2 other processes
  Started: conhost.exe (4 instances in total)
lsass.exe (child process)
  Network: ipinfo.io 216.239.34.21, ports 443, 49747, GOOGLEUS, United States; vh420783.eurodir.ru 185.154.54.5, ports 49744, 80, EUROBYTE Eurobyte LLC Moscow Russia RU, Russian Federation
  Signatures: Protects its processes via BreakOnTermination flag
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2020-12-22 12:30:06 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash: 7476e403eef14ac403c63c7279831780
SHA1 hash: 8387f558e30dc115987ac2b5c174a41302471abf
SHA256 hash: dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c
MD5 hash: aacfb5db7ad135489ed672b5940cbd43
SHA1 hash: 5aa7999c8ce0af9372362024a2dc8fa156da311f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c (this sample)

Delivery method
Distributed via web download

Comments